CVE-2023-23969: 
Django vulnerability analysis and mitigation

CVE-2023-23969 affects Django versions 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6. The vulnerability was discovered and disclosed on February 1, 2023. The issue affects the Django web framework's handling of Accept-Language headers (Django Security, Debian LTS).

The vulnerability stems from Django's caching mechanism for parsed Accept-Language headers, which is implemented to avoid repetitive parsing. When the raw value of Accept-Language headers is very large, this caching mechanism can lead to excessive memory usage. The issue has been assigned a CVSS score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NetApp Security).

Successful exploitation of this vulnerability could lead to a denial-of-service (DoS) condition through excessive memory consumption. The impact is primarily on system availability, with no direct effect on confidentiality or integrity (NVD).

The vulnerability has been fixed by implementing a maximum length limit for parsing Accept-Language headers. Users are advised to upgrade to Django versions 3.2.17, 4.0.9, or 4.1.6 or later. The fix has been applied to Django's main branch and the 4.2, 4.1, 4.0, and 3.2 release branches (Django Security).

The Django security team classified this vulnerability as having 'moderate' severity according to their security policy. The vulnerability was responsibly disclosed by a security researcher named Mithril (Django Security).